Bug 1706293 - pam-u2f is no longer working after upgrade to F30
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libu2f-host
Version: 30
Hardware: Unspecified
OS: Unspecified
Assignee: Seth Jennings
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-05-04 05:17 UTC by Peter Bieringer
Modified: 2019-06-19 22:45 UTC

Fixed In Version: libu2f-host-1.1.10-1.fc30
Last Closed: 2019-06-19 22:45:12 UTC
Type: Bug


Description Peter Bieringer 2019-05-04 05:17:28 UTC
Description of problem:
In F29, pam-u2f was successfully configured; after the upgrade to F30 it's no longer working properly.

Version-Release number of selected component (if applicable):
pam-u2f-1.0.7-3.fc30.x86_64


How reproducible:
always

Steps to Reproduce:
1. enable pam-u2f e.g. for su on F29
2. upgrade to F30

Actual results:
token is not blinking anymore and button push will not help

Expected results:
working as with F29

Additional info:
it's still working via enabled Firefox browser, so no general problem
https://demo.yubico.com/webauthn-technical/


/etc/pam.d/su (extension):
auth       sufficient   pam_u2f.so interactive cue

In debug mode, the following lines are shown:

$ su -
debug(pam_u2f): pam-u2f.c:94 (parse_cfg): called.
debug(pam_u2f): pam-u2f.c:95 (parse_cfg): flags 0 argc 3
debug(pam_u2f): pam-u2f.c:97 (parse_cfg): argv[0]=interactive
debug(pam_u2f): pam-u2f.c:97 (parse_cfg): argv[1]=cue
debug(pam_u2f): pam-u2f.c:97 (parse_cfg): argv[2]=debug
debug(pam_u2f): pam-u2f.c:99 (parse_cfg): max_devices=0
debug(pam_u2f): pam-u2f.c:100 (parse_cfg): debug=1
debug(pam_u2f): pam-u2f.c:101 (parse_cfg): interactive=1
debug(pam_u2f): pam-u2f.c:102 (parse_cfg): cue=1
debug(pam_u2f): pam-u2f.c:103 (parse_cfg): nodetect=0
debug(pam_u2f): pam-u2f.c:104 (parse_cfg): manual=0
debug(pam_u2f): pam-u2f.c:105 (parse_cfg): nouserok=0
debug(pam_u2f): pam-u2f.c:106 (parse_cfg): openasuser=0
debug(pam_u2f): pam-u2f.c:107 (parse_cfg): alwaysok=0
debug(pam_u2f): pam-u2f.c:108 (parse_cfg): authfile=(null)
debug(pam_u2f): pam-u2f.c:109 (parse_cfg): authpending_file=(null)
debug(pam_u2f): pam-u2f.c:110 (parse_cfg): origin=(null)
debug(pam_u2f): pam-u2f.c:111 (parse_cfg): appid=(null)
debug(pam_u2f): pam-u2f.c:112 (parse_cfg): prompt=(null)
debug(pam_u2f): pam-u2f.c:157 (pam_sm_authenticate): Origin not specified, using "pam://***"
debug(pam_u2f): pam-u2f.c:168 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://***)
debug(pam_u2f): pam-u2f.c:180 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): pam-u2f.c:198 (pam_sm_authenticate): Requesting authentication for user root
debug(pam_u2f): pam-u2f.c:209 (pam_sm_authenticate): Found user root
debug(pam_u2f): pam-u2f.c:210 (pam_sm_authenticate): Home directory for root is /root
debug(pam_u2f): pam-u2f.c:216 (pam_sm_authenticate): Variable XDG_CONFIG_HOME is not set. Using default value ($HOME/.config/)
debug(pam_u2f): pam-u2f.c:245 (pam_sm_authenticate): Using default authentication file /root/.config/Yubico/u2f_keys
debug(pam_u2f): util.c:102 (get_devices_from_authfile): Authorization line: root:***
debug(pam_u2f): util.c:107 (get_devices_from_authfile): Matched user: root
debug(pam_u2f): util.c:134 (get_devices_from_authfile): KeyHandle for device number 1: ***
debug(pam_u2f): util.c:153 (get_devices_from_authfile): publicKey for device number 1: ***
debug(pam_u2f): util.c:164 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): util.c:191 (get_devices_from_authfile): Found 1 device(s) for user root
debug(pam_u2f): pam-u2f.c:317 (pam_sm_authenticate): Using file '/var/run/user/1001/pam-u2f-authpending' for emitting touch request notifications
Insert your U2F device, then press ENTER.
USB send: 00ffffffff***
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: ffffffff****
device /dev/hidraw2 discovered as 'ePass FIDO'
  version (Interface, Major, Minor, Build): 2, 1, 0, 1  capFlags: 3
debug(pam_u2f): util.c:272 (do_authentication): Device max index is 0
debug(pam_u2f): util.c:303 (do_authentication): Attempting authentication with device number 1
debug(pam_u2f): util.c:327 (do_authentication): Challenge: { "keyHandle": "***", "version": "U2F_V2", "challenge": "***", "appId": "pam:\/\/***" }
JSON: { "keyHandle": "***", "version": "U2F_V2", "challenge": "***", "appId": "pam:\/\/***" }
JSON challenge URL-B64: ***
client data: { "challenge": "***", "origin": "pam:\/\/***", "typ": "navigator.id.getAssertion" }
JSON: { "keyHandle": "***, "version": "U2F_V2", "challenge": "***", "appId": "pam:\/\/***" }
JSON app_id pam://***
JSON: { "keyHandle": "***", "version": "U2F_V2", "challenge": "***", "appId": "pam:\/\/***" }
JSON keyHandle URL-B64: ***
USB send: 0001***
USB write returned 65
USB send: 0001***
USB write returned 65
USB send: 0001***
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: 0100***
USB rc -2
debug(pam_u2f): util.c:363 (do_authentication): Device for this keyhandle is not present.
USB send: 000***
USB write returned 65
now trying with timeout 2
now trying with timeout 4
now trying with timeout 8
now trying with timeout 16
now trying with timeout 32
now trying with timeout 64
now trying with timeout 128
now trying with timeout 256
USB read rc read 64
USB recv: 01000***
Device /dev/hidraw2 failed ping, dead.


try to use pamu2fcfg, it also fails on F30

pamu2fcfg -d
USB send: 00fff***
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: ffffff***
device /dev/hidraw2 discovered as 'ePass FIDO'
  version (Interface, Major, Minor, Build): 2, 1, 0, 1  capFlags: 3
JSON: { "challenge": "***", "version": "U2F_V2", "appId": "pam:\/\/***" }
JSON challenge URL-B64: ***
client data: { "challenge": "***", "origin": "pam:\/\/***", "typ": "navigator.id.finishEnrollment" }
JSON: { "challenge": "***", "version": "U2F_V2", "appId": "pam:\/\/***" }
JSON app_id pam://***
USB send: 0002***
USB write returned 65
USB send: 0002***
USB write returned 65
now trying with timeout 2
USB read rc read 64
USB recv: 020000***
USB rc -2
Unable to generate registration challenge, error in transport layer (-2)


also it won't approve if selinux is in permissive mode

Comment 1 Seth Jennings 2019-05-07 14:21:22 UTC
This is working for me on F30 with selinux Enforcing.  Granted I have:

device /dev/hidraw8 discovered as 'Yubikey NEO OTP+U2F+CCID'

vs

device /dev/hidraw2 discovered as 'ePass FIDO'

Makes me think it is a udev rule issue. What is the mode on your /dev/hidraw device?  Mine is 0660.
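
The mode check asked about in comment 1, as an added example that is not part of the original thread: a POSIX shell function that lists each hidraw node with the HID identity from sysfs, its mode and owner, and whether the calling user can open it. The function name and its two optional directory arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report: report identity and permissions
# of every hidraw node so that outputs from two machines can be compared.
# The directory arguments are an assumption of this example; they let the
# function be pointed at a constructed tree instead of the live system.

hidraw_report() (
    sysfs="${1:-/sys/class/hidraw}"
    devdir="${2:-/dev}"
    for d in "$sysfs"/hidraw*; do
        [ -d "$d" ] || continue              # glob did not match: no devices
        dev="${d##*/}"
        node="$devdir/$dev"
        uevent="$d/device/uevent"
        [ -r "$uevent" ] || uevent=/dev/null # tolerate a missing uevent file
        # The HID uevent holds lines such as
        #   HID_ID=0003:0000096E:00000854
        #   HID_NAME=FT FIDO KB
        name=$(sed -n 's/^HID_NAME=//p' "$uevent")
        id=$(sed -n 's/^HID_ID=[^:]*:0000\(....\):0000\(....\)$/\1:\2/p' "$uevent" \
             | tr 'A-F' 'a-f')
        if [ ! -e "$node" ]; then
            printf '%s id=%s name="%s" node-missing\n' "$dev" "${id:-?}" "$name"
            continue
        fi
        access=""
        [ -r "$node" ] && access="${access}r"
        [ -w "$node" ] && access="${access}w"
        printf '%s id=%s name="%s" mode=%s owner=%s access=%s\n' \
            "$dev" "${id:-?}" "$name" \
            "$(stat -c '%a' "$node")" "$(stat -c '%U:%G' "$node")" \
            "${access:-none}"
    done
)

# Report on the live system; prints nothing when no hidraw device exists.
hidraw_report
```

Run it as the user who runs pamu2fcfg and again as root; `access=` reflects the caller, while `mode=` and `owner=` show what the udev rules produced.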

Comment 2 Alberto Gonzalez 2019-05-19 07:44:44 UTC
I observe the same failure. For me, downloading the package libu2f-host to version 1.1.6-3 will work correctly again.
These are the versions that work for me:

libu2f-host-1.1.6-3.fc30.x86_64
libu2f-server-1.0.1-14.fc30.x86_64
pam-u2f-1.0.7-3.fc30.x86_64
pamu2fcfg-1.0.7-3.fc30.x86_64
u2f-hidraw-policy-1.0.2-9.fc30.x86_64

Comment 3 Alberto Gonzalez 2019-05-19 08:07:26 UTC
More info.
I have an "ePass FIDO NFC" configured as U2F+HOTP:

[58085.343272] usb 1-5.3: new full-speed USB device number 13 using xhci_hcd
[58085.421467] usb 1-5.3: New USB device found, idVendor=096e, idProduct=0854, bcdDevice=44.01
[58085.421471] usb 1-5.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[58085.421474] usb 1-5.3: Product: FIDO KB
[58085.421477] usb 1-5.3: Manufacturer: FT
[58085.430330] input: FT FIDO KB as /devices/pci0000:00/0000:00:14.0/usb1/1-5/1-5.3/1-5.3:1.0/0003:096E:0854.000C/input/input24
[58085.482894] hid-generic 0003:096E:0854.000C: input,hidraw3: USB HID v1.00 Keyboard [FT FIDO KB] on usb-0000:00:14.0-5.3/input0
[58085.484020] hid-generic 0003:096E:0854.000D: hiddev96,hidraw4: USB HID v1.00 Device [FT FIDO KB] on usb-0000:00:14.0-5.3/input1

And this is my PAM setting:

auth        sufficient    pam_u2f.so authfile=/etc/pam_u2f.conf

Comment 4 Peter Bieringer 2019-05-19 09:17:40 UTC
can confirm, downgrading to libu2f-host-1.1.6-3.fc30 from

https://koji.fedoraproject.org/koji/buildinfo?buildID=1191479

works, so looks like a problem was introduced between 1.1.6 and 1.1.8

Comment 5 Tom Yates 2019-05-31 17:59:45 UTC
https://github.com/Yubico/pam-u2f/issues/114 suggests that this is a known problem with libu2f-host 1.1.8:

"There have been a couple of releases of libu2f-host recently. Make sure you have the latest one (1.1.9) since the previous one broke compatibility with a few devices."

and that upgrading to 1.1.9 would also fix it.

Comment 6 Fedora Update System 2019-06-01 03:23:19 UTC
FEDORA-2019-bb6f6f6569 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bb6f6f6569

Comment 7 Fedora Update System 2019-06-02 01:43:10 UTC
libu2f-host-1.1.10-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bb6f6f6569

Comment 8 Alberto Gonzalez 2019-06-19 13:19:21 UTC
I can confirm that libu2f-host-1.1.10-1.fc30 works with Feitian U2F keys.

Comment 9 Fedora Update System 2019-06-19 22:45:12 UTC
libu2f-host-1.1.10-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

